Skip to main content

tv   Book Discussion on At War  CSPAN  December 20, 2014 8:00am-8:54am EST

8:00 am
of the time in which they lived and at 10:00 for nbc news anchor tom brokaw on his more than 50 years of reporting on world events. that is this christmas day on the c-span network. for a complete schedule goatee c-span.org. .. >> booktv, television for serious readers.
8:01 am
>> shane harris talks about the military's use of cyberspace to wage war. he discusses the involvement of private companies like google and microsoft in this fifth domain of warfare. this hourlong program starts now on booktv. >> i'm pleased to welcome shane harris this evening to discuss his new book, "alt war: the rise of the military complex," in which he chronicles the fifth domain of warfare. he explains how government agencies are teaming up with the likes of google and microsoft to monitor cyberspace and collect information and what that means for us as individuals and a nation. this is harris' second book. "the watchers: the rise of america's surveillance state," won the helen bernstein book award for excellence in journalism. he's currently a senior writer covering intelligence and
8:02 am
national security at the "the daily beast," he's also worked as a senior writer for "foreign policy," and his work has appeared in "the new york times," the "wall street journal" and "the washington post." he's also a fellow at the new america foundation. we're pleased to welcome him back for his second appearance at politics & prose. please help me welcome shane harris. [applause] >> thank you very much for that great introduction. thank you all for coming out on a night like tonight. you could be sitting on veranda someplace drinking wine and enjoying this summer evening that we're having. so i'm glad you chose to come out here and spend it with me. it's great to see so many friends and colleagues as well. i've been touring around with the book and speaking at a number of bookstores around the country, and this one really is just prized for the way that it brings people out in the community, and it's so great to
8:03 am
see such a large gathering. this is great for a book talk, so thank you very much. you're making me very happy. so, um, this booker, @war, it's a story, but it really is a narrative about how it is that cybersecurity became sort of a fixation and a top priority for national security in the united states right now. cybersecurity, which we define as broadly speaking or threats in cyberspace to include espionage, cyber crime, attacks over computer networks that can damage physical infrastructure like disrupting power grids or disabling water utilities or affecting banks, the risk of these attacks for the past two years has topped the intelligence community's list of global threats. every year the intelligence community puppets out sort of the -- puts out sort of the big things that keep people up at
8:04 am
night. james comey, formerly the deputy attorney general, has said that the risk of cyber attacks and a related rise in cyber crime will be the most significant national security threat over the next decade. and he's putting that at the top of the list above terrorism. just last week the director of the national security agency, michael rogers, testified before congress that cyber attacks were costing hundreds of billions of dollars to u.s. companies and that multiple foreign governments had probed the systems that control and regulate our electric power grid. he said this is not theoretical, quote: a truly significant, almost catastrophic failure will occur if we do not take action. so how is it we got to this point where all of our top national security officials are telling us that the risk of a catastrophic cyber attack, espionage against u.s. companies is the thing we should be most worried about, and what does that mean for all of us who
8:05 am
exist and use -- exist in cyberspace and use the internet every day? and that book tries to answer those questions. it starts with a story, and for -- appropriate, i guess, for a book like this a rather scary story, which i'll relate to now. this begins in the summer of 2007. the ceos of the major defense contractors, the raytheons and northrop grummans of the world, are called to a meeting at the pentagon. they figure if they've all been called here on short notice, this can't be good news. they are ushered into a room called a sensitive compartmented information facility. if you're a fan of homeland or spy movies, it's the thing where you have to drop your cell phone outside before you go in sort of sound-proof room that is actually impermeable to eavesdropping. you only receive the most secret of secrets. and these executives are brought
8:06 am
in and sat down and given what's called a threat briefing where a number of military officials describe to them how hackers, believed to be in china, are accessing computer systems that contain some of the most classified information in the military, specifically things like plans for the joint strike fighter, the f-35 which is to be our next generation military aircraft, as well as a number of other military programs have all been overrun by cyber spies. that seems pretty scary to these ceos, but what's even more scary is the spies did not access the information by getting into military networks, they got into the networks of these companies, the ceos' companies. these hackers had made an end run around the pentagon's rather formidable cyber defenses and attacked contractors instead that were working on some of the most sense ty military programs. -- sensitive military programs. a lot of executives went in with dark hair, and when they came out, it had turned white. they were very disturbed to find
8:07 am
out not only had these spies gotten into their systems, but that they knew very little about it. the pentagon says to them you have a security problem, therefore, you have a security problem. we have to do something about this, and you're going to take our help. what begins at this point is something that i think really epitomizes our current national approach to cybersecurity. the pentagon teamed up with these contractors in an information and intelligence-sharing arrangement. the contractors agreed to report to the pentagon threats that they were seeing on their network including when they had been breached. the pentagon agreed not to disclose this publicly because companies do not like to say when they've had hackers inside their network. and in return the pentagon was going to provide these corporations with information that it was gathering from its own intelligence operations. effectively, the fruit of espionage that agencies like the nsa were gathering about these threats in china and how they might affect american
8:08 am
businesses. so this partnership, essentially, sets up whereby private sector and public are coming together for the mutual purpose of defending these computer networks. the companies are essential in this arrangement, and this is true across the board when we talk about defending critical systems in the u.s. companies own roughly 85% of the network infrastructure in the united states. the government does not physically control it. so companies have to participate with the government in this intelligence-sharing and mutual security arrangement if we're actually going to protect the internet. the effort that began after that pentagon meeting became something known as the defense industrial base initiative or the dib which occurs throughout my book. about a hundred companies are members in this today. there were only a dozen or so when it began in late 2007. this model has now been expanded to other sectors of the economy beyond the defense industrial base. so today the national security agency, via the homeland
8:09 am
security department, showers this kind of threat intelligence -- shares this kind of threat intelligence with internet service providers in the hopes that they will then program those threat signatures into their own systems scanning for malicious software and intrusions and then protect the people who are their customers downstream. big name technology companies have struck up relationships with the intelligence community. one that i write about in the book is google. google, obviously, has a privileged kind of peering into networks all over the world. they move much of our communications traffic that we're all using every day. google struck up a secret relationship with the nsa in 2010 after it was hacked by chinese spies where they agree, much like the defense contractors, to share information that they're seeing on their network in turn for the nsa providing information to them. so defending cyberspace and also spying in it and attacking in it has actually become a cooperative effort between the
8:10 am
government and intelligence community and its technology industry. that is what i'm referring to, this coming together of these two powerful forces. and i am deliberately hearkening back to president eisenhower's military industrial complex speech from 1961 which i'll talk about later. so this arrangement begins at the tail end of the bush administration, and it took a number of years for president bush and some of his senior national security advisers to start taking the threat of cyber attacks and cyber espionage seriously. there had been talk about this at the highest levels of government for years. president bush was famously not the most technologically inclined chief executive. he once said that he used "the google" to look at satellite images of his ranch in texas. not to pick on president bush, president clinton reportedly only sent one e-mail in the entire time he was in office. the internet was a fairly
8:11 am
nascent infrastructure at the time. where this takes off, not surprisingly, is under president obama. who, of course, used the internet masterfully in his campaign, very much our first internet president, you might say. president obama actually got a firsthand experience with cyber espionage when he was on the campaign and his campaign e-mail system was hacked by spies believed to be in china. as an equal opportunity offender here, they hacked john mccain's e-mail system as well. so obama comes into office with a firsthand kind of glimpse of this and a real appreciation for the vulnerabilities in cyberspace. and pretty much from day one when he's given his briefings, his classified briefings about various national security threats, cyber is placed very near the top. so not one to waste time, he adds a whole new dimension to the government's approach for dealing with this threat. in may 2009 obama gives a speech in the east room of the white house, and east room if you've
8:12 am
been there, it's a very, very large room, and it's reserved only for the most momentous of speeches that the president wants to give when he really wants to draw attention to it. so he gives a speech, stands up and unveils his plan for securing cyberspace. he says that his campaign e-mail was hacked. he actually acknowledges that the electrical grid, the systems that control the grid had been probed by outsiders. he doesn't say government, and he doesn't name them, but this is the president of the united states standing up and saying effectively our critical systems -- the things that control the machinery that we depend upon for our daily life -- are vulnerable and wide open to attack, and he intends to do something about it. again, hearkening to this model that has developed, he says, quote: the vast majority of our critical information infrastructure in the united states is owned and operated by the private sector. we will collaborate with industry to find technology to insure and secure and promote our prosperity. the internet is a strategic
8:13 am
national asset, and we intend to protect it as such. so you have obama really defining cyberspace as a national asset even though it is something that is largely privately owned. so there's attention there as well. he sets out on a very ambitious program of putting the government at the center of efforts to try and secure cyberspace. not to try and is control that, but to try and influence it. and i write more about this in the book. what's important here is that obama, just like bush before him, is starting to see and to describe cyberspace as a battlefield. the military now refers to cyberspace as the fifth domain of warfare after land, air, sea and outer space. and it views trying to achieve supremacy there as vital as it is in the other four. to give you some sense of kind of how the military has prioritized this in particular, it's always good to follow the money in washington, as we know. so if you were to take a look at
8:14 am
the budget, the defense budget for cyber programs, in 2014 just in cyber defense programs mostly on protecting government computers and sharing intelligence with industry, the government allocated $13 billion on cyber defense programs. this doesn't even touch the offensive side of the ledger or intelligence agency programs. so $13 billion on defense. putting that in perspective, in 2014 the government plans to spend $11.6 billion on direct efforts to combat climate change which president obama called in his speech, quote: the greatest threat of our time. so $13 billion on cyber defense, $11.6 billion on climate change. the 2012 pentagon budget had the word "cyber" in it 12 times. the 2014 pentagon budget has the word "cyber" in it 147 times. so a twelvefold increase just in the mention of the world. n., it's become sort of a -- in fact, it's become sort of a joke
8:15 am
that it's really the only part of the dod budget that's growing. if you want money for your project, just slap the word "cyber" on it. [laughter] a couple of weeks ago, the senior dod official joked he was starting to see a lot of proposals for things like cyber tank crossing his desk. [laughter] no such thing as a cyber tank. so government officials have really taken to talking about our vulnerabilities and the way that we're victimized, the way that our companies are being robbed by spies which is true. but i think that they're doing this, there's a bit of a cynical calculation in here. kind of playing the victim is a good way of focusing national attention and drumming up money for defense programs. but it tends to obscure the other side of the story, which is what this book is also about. we're quick to be a victim, but we are doing many of the same things that we blast other countries for doing to us and to our corporations. we really have become masters in
8:16 am
offense in cyberspace. we have become very good at waging cyber warfare. and, in fact, it is going to become an integral component of how we fight wars in the future. and one story i like that i tell in the beginning of the book that i think really captures how cyber is being integrated into the physical realm of how we fight wars, this actually takes place also in 2007. there's a lot of 2007 activity in this book, if you read it. you'll see this. it's kind of the year things took off. that was the -- in 2007 you'll remember that president bush ordered tens of thousands of additional combat troops to iraq as part of the surge which was engineered to quell violence that was spiraling out of control in iraq, to prevent a civil war and in particular to do battle with an insurgent terrorist group known as al-qaeda in iraq which later morphed into isis which we're hearing a lot more about today. so those tens of thousands of troops go, we form alliances
8:17 am
with sunni tribes to turn them against al-qaeda in iraq. these are two pillars of the surge strategy, but there's a third pillar that i report about in the book. the nsa tapped into the telecommunications and internet infrastructure of the country of iraq and effectively owned the entire networks of the country of iraq. it intercepted every cell phone call, every e-mail message, every text message. now, what was it doing with all this information? partly, it was to try and understand the way that these groups, these terrorist networks had organized themselves by studying the patterns of their communications. i write about a guy in the book named bob who was a young army lieutenant at the time who had deployed to iraq and was working in the signals intelligence group. so gathering up electronic communications for the army and working with the nsa. bob was a real fan of the hbo series "the wire." have people watched this show? familiar with it? right? there's a character that's an
8:18 am
old police detective named lester freeman who decided he's going to unlock the hierarchy of the drug rings in baltimore who these shadowy players are not by walking the beat and trying to tap human sources, but by monitoring their cell phones. and particularly, the dispose able cell phones that they use for a couple of calls and throw away. lester starts mapping out the networks of who these people are and who is important in the hierarchy. well, bob did this as well. this information was then handed off to ground forces, boots on the ground, who would then go out and find these insurgents and capture or kill them. some more of the daring exploits that i write about, they started sending fake text messages to individual insurgents posing as people that they knew and directing them to meet at a particular place where when they got there, they fell into a trap. they penetrated web sites that were used by these groups and
8:19 am
implanted spyware so when people would go the these chat forums, their computers were being infected with spyware that would hone in on their location. this was really ingenious hacking with a physical goal. this wasn't just to steal information, it was to locate people and to help a war effort on the ground. cyber was being integrated into this conventional military conflict. the people i interviewed for the book will say absent this particular dimension of the surge, the surge does not staunch violence in iraq, it does not become this temporary victory that we all know now where we did prevent a civil war and managed to bring some stability back to the country. this was the secret weapon. the surge was won by a cyber war campaign. david petraeus, not one given to hyperbole, said publicly that this intelligence-gathering operation was, quote: a prime reason for the significant
8:20 am
progress made by u.s. troops in the surge and was, quote: directly responsible for enabling the removal of almost 4,000 insurgents from the battlefield. you can actually chart where the surges of violation goes down, and -- violence goes down and how the intelligence operations were ramping up. so iraq changed the way that the nsa spied, but it also changed the way the united states fights wars, and it showed us that cyber operations will be a part of that. so why does this matter to us, right? i argue that in the book in the government's zeal, particularly the national security agency's efforts to dominate cyberspace -- and the nsa is really the center of gravity of our cyber operations -- that the government is doing things that fundamentally undermine the security and the protections of the internet that we all depend upon. and it's making it actually a less safe place for all of us to operate. give you a couple of examples.
8:21 am
nsa's in the business of spying on and breaking into technology. well, we all use commercial technology that is found in other countries as well. there's no proprietary u.s. systems or proprietary other foreign systems. a lot of this is ubiquitous foreign technology. the nsa is constantly looking for ways to find flaws in softwares and computer operating systems that would give them a way into a system that no one else knows about. these are frequently called zero day absolutely necialtds, meaning that once someone has found a particular way into a computer and nobody else knows it, there would be zero days to defend against it if you chose to attack it or exploit it. so the nsa is gobbling up and hoarding this information in order to build offensive capabilities. cyber weapons, if you like. one might argue if nsa is in the business of defending national cyberspace, you should be disclosing the vulnerabilities and letting the public know about it. imagine that the nsa was sort of
8:22 am
a security guard in your neighborhood or a cop on the beat and it found there was an open window in your house but didn't tell you, or found there was a flaw in all the windowing with used on the block -- being used on the block but didn't tell anybody? that's the analogy i look in the book. not telling the public about them, the nsa is essentially not doing its job of making the internet safer. another example is the nsa's efforts to undermine something called encryption. you may not be familiar with this, but encryption is basically a way of jumbling up a communication so that only you and the recipient can unlock and understand what it says. you can use encryption in your e-mail, end description may be be -- encryption may be used with your bank to make sure that your account data can't be stolen. we know the nsa has been secretly inserting flaws into encryption products that are then marketed with the seal of of approval of the nsa.
8:23 am
and we know of some instances in which they've been putting an endorsement on a product that they know to be flawed in a way that only the nsa thinks it understands. this would be sort of like if the nsa -- if the government was marketing a particular kind of door lock and said, everybody in america, go buy this lock for your front door, it can't be penetrated, but the nsa has a a key for that lock, and it's actually not hidden that well. part of its mission to dominate is actually making cyberspace less safe for all of us and putting us at risk. all of this has emerged, the story that i write about in the book, with practically no debate and with, actually, very little reporting and public commentary. this con junction of a huge war-fighting machine with a growing technology i have is, i think as president eisenhower described the military
8:24 am
industrial complex of a previous generation, quote: new in the american experience, and it is changing how we use the internet and exist in this fifth domain. i think cyberspace is too vast, too pervasive and too important to how we live now to allow a single entity or any alliance to govern it or dictate the norms of behavior. and i argue in the book that this authority should certainly not be vested inside a secret intelligence agency. there's no neat way to define cyberspace, and i don't attempt to do so in the book. it's not a commons, but it's also not private. we've come to depend upon it like a public utility, like electricity and water, but it is still mostly a collection of privately-owned devices which makes making policy in this area particularly difficult. yet cyberspace is undeniably a collective which is why i think it's incouple p bent upon everyone who touches it, all of us, to take a stake in how we treat it and define the, quote:
8:25 am
essential agreements of great moment, the wise resolution of which will better shape the future of the nation. thanks for your attention, and i'll be happy to take your questions. [applause] so if you could come to the microphone, because this is being recorded not by the nsa, as far as i know. [laughter] and, yeah. yes, please, thanks. >> thank you for coming. the director, director comey, he has said several times in recent weeks that he is very much opposed to what google and apple have done with their encryption technology, making it so that even google and apple if they wanted to, they couldn't decrypt their own devices. do you think the director will be successful in any effort to force google and apple to change their current -- >> right. >> yeah. >> the short answer is i think probably not. you know, at least not in the near term. what's interesting about this
8:26 am
argument, this is jim comey has come out and basically said among other things that this device, for instance, the iphone 6 is, essentially, a threat to law enforcement, an obstacle to law enforcement because if you arrest somebody with this phone and they've encrypted it, it cannot be unencrypted including by the manufacturer. so only i know the code, and if i'm not giving it up, the fbi's not getting into it. i think this is actually sort of a proxy for a much larger mission that the fbi has been on to extend surveillance authority to the internet. without getting too much into the weeds of it, there are laws in place that require telephone companies to build their networks in certain ways so that they can be tapped when the fbi or another agency has a lawful order to intercept communications. but internet technologies and p companies like google and apple have never been precisely or neatly governed by that law, and the fbi would like them to be. so i think that director comey, who i know and think very highly of, is overstating the particular risk that this device
8:27 am
poses to law enforcement, and he's actually really should be talking about the broader debate which is the fbi wants to extend for surveillance authority to cyberspace. >> thank you. >> i'm wondering how paranoid we should be. [laughter] >> everyone asks that question. >> you know -- [laughter] you know, you're not paranoid if it's real. >> right. >> you know, i was afraid to go to certain web sites like wikileaks, that it would flag something, and i thought i was being overparanoid, and then nsa stuff broke, and it turned out to be much worse than i could have imagined. i know someone at homeland security who has a high position, and i told her i was -- i just wanted to check out wikileaks, and she said don't go to wikileaks, and i figured she was in a position to know. i'm wondering if you access certain web sites, are you flagged? what if i wanted to learn about al-qaeda and just wanted to learn what it believes in? >> right. >> are they watching everything? what you said in iraq, they had
8:28 am
control of everything. >> right. iraq was a very particular example, obviously, because it's not the united states. so we should remember there are, there are surveillance laws and restrictions in place for what the nsa and the fbi in particular can do with american citizens' individual communications. they cannot listen to your phone calls without a warrant, they can't -- they can't read your e-mails without a warrant. >> is that right? >> that's right. -- it may not necessarily be the case, but it is correct if they want to monitor your individual phone call, target you, they need a warrant to do that. if you are in communication with someone overtea seas -- overseas, however, and that person's communications are scooped up which doesn't require a warrant the same way it does for you, and your information is collected incidentally to that collection, the government can go back, search through the data that's been collected and come across your information and read it without a warrant because the presumption is that it was
8:29 am
lawfully collected in the first place. yeah, i know. it kind of puzzles me, too, and this is a debate that's going on right now within the corners of national security law that cover this stuff. it's very difficult to know at any particular given time what legal theory the government is using to access certain kinds of information. they use different parts of the law to access different kinds of information. but i think it's safe to say that if they can find a way to technically and legally acquire information, they probably will do it. so that would lead us to conclude that the rules should be tight on how -- on the use of information as opposed to the acquisition of the information. i don't know if that puts your mind at ease any about -- >> not at all. >> -- certain web sites that you can go to. [laughter] >> so are certain things flagged? >> i don't know if you were today to go visit wikileaks that it would necessarily flag you. if you were on a government computer, it would. >> yeah. >> yeah. if you were -- in fact, government employees have been
8:30 am
told do not go to wikileaks because there's classified documents displayed on it. whether or not you sitting here today from your computer in washington, d.c. would that be flagged? i don't think so. [laughter] >> that's reassuring. >> yeah. [laughter] >> hey, shane. >> hi. >> so what do we know about how much stuff we can do to them? >> yeah. so you can pretty much be sure that anything that we're afraid of people doing to us we can do to them, and we very well may have already done out. the first half of the book really is about the offensive side of cyber war, and i don't want to give everything away and spoil the story, but -- >> go ahead. >> what's that? >> go ahead. >> go ahead, go ahead. thanks, john. >> i already bought the book. >> okay, good, then you're fine. everyone else, plug your ears. [laughter] we have, the military and the nsa have are, i should say, very elite cadres of hackers. there's actually one group that
8:31 am
i write about called the tailored access operations unit, and they're sort of like the impossible mission forest of nsa hackers -- force of nsa hackers. these are the guys that they call in. in fact, some of the people i write about in the book actually have worked in it. so we are very, very good. the problem is that we don't have enough people to go out and wage these operations compared to our add adversaries. that is, if we are measuring this in terms of if we were to ever go to war with a big country in cyberspace, how would we match up against them? the chinese have thrown thousands more people at gathering espionage -- information from companies that we have digital spies going out and gathering information. our advantage probably comes from our technological prowess. just today, in fact, there was news -- you may have read about this -- this new computer virus that was discovered called regin, i'm not exactly sure how to pronounce i want. reagan. it's reagan. it's a name from no, sir
8:32 am
mythology -- norse mythology. this fascinating piece of malware that was discovered and dissected and found that it could, basically, gather huge amounts of information from computer systems and barely be detected. it was probably engineered around twist and looks suspiciously like another computer virus called stuxnet which we know that the nsa designed. we haven't confirmed it yet, but there are very few countries in the world that could design something that sophisticated, and we are one of them. so we're very good on the offensive side of it. >> just follow up. i once recently spoke with a british intelligence officer cyber guy who said that the chinese get into everything but the people they're really most afraid of are the russians because they don't leave fingerprints, and we don't know what they can do. we only know they're good. is that accurate? >> i think that is accurate. the russians also have incredible prowess. the chinese are shameless about
8:33 am
it, and they deny everything. the russians are very, very good at covering their tracks. you have a lot of, well, you know, several years ago after the demise of the soviet union, you had a lot of very highly skilled computer engineers with suddennenly, you know, not -- suddenly, you know, not great employment prospects. a lot of these people have gone to work for criminal organizations, and the russian government not only turns a blamed eye to this, they aid and abet it to some degree. financial crime in particular. i was told by one senior u.s. official who works on cyber investigations that they have found a number of cases where they're zeroing in on a russian hacker, and they find out that the russian government tipped them off and said they're on to you. so we're dealing with a government and an apparatus that is very highly skilled and, as you said, is good at not leaving traces. >> um, this is a slight aside, but you mentioned that the internet is not a utility in the united states, and it's not legislated as one or anything in
8:34 am
that way. but if the fcc changes its rules, if the obama administration gets them to treat it as a utility, do -- what sort of effects do you think that would have in this arena? >> um, i think it would make it a lot easier for the government to regulate and enforce security standards. so to tell companies you must implement the following minimum security protocols and procedures. and president obama, i think it was last week in his weekly address, talked about treating the internet as a utility. now, this was sort of in the context of net neutrality and the debate over whether or not companies should be allowed to charge more for higher volumes of traffic. but what i found striking about that was, wait a second, if you treat the internet as a utility, the government can regulate it, and that means they can regulate security just like they regulate security at food processing plants and, you know, any number of physical infrastructure facilities. the fcc, as you said, would have
8:35 am
to go along with this. but if that happened, i suspect that would open the door to much tougher government regulation of security. and we have been having this debate, by the way. there are those who very much favor government coming in and regulating this. the flipside of that, and i write about this in the book too, the threats are evolving so fast that there's no guarantee that the government is going to know what the most up-to-date intelligence is. and, in fact, a number of companies including google have received threat briefings from the government and been very unimpressed by what they've been told because they say we've already heard about this. private security researchers already know about this, tell us something else. so there's no guarantee that the government has the right answer for setting security standards. >> would you comment on congressional oversight with respect to the military internet complex? i get the impression that way too many of our elected representatives are totally out
8:36 am
of their depth when it comes to these kinds of questions. >> right. there is, there's a technological learning curve, to be sure. yeah. i mean, i think that -- look, intelligence oversight in general is, i've been a critic of it for a long time. i think it's pretty anemic, and a lot of this activity is taking place under the auspices of an intelligent agency, the -- intelligence agency, the nsa. where congress has mostly been focusing is on legislation that would try and set some of these basic minimum standards for security that companies would have to follow. and those efforts have been shot down largely at the we he's of -- behest of companies who fear regulation. so i think this is a real issue, and i think if legislators aren't smart about this and really becoming more proficient in the language of technology, they risk being duped, frankly, by intelligence officials who are persuading them that the threats are maybe more severe
8:37 am
than they actually are and persuade them to give them money that they maybe don't need and authorities that they don't need either. it's very much incumbent upon congress to not simply take the word, you know, the intelligence agencies' words for it. yes, there are threats in cyberspace, but they need to get a lot more in depth and fluent in the complexities of those threats before we begin, you know, making permanent laws. >> so if i can actually follow up on this lady's question with a very brief intro that a few of us in this room have worked with shane in his, in his journalistic capacity. it's been gratifying. he's a great journalist, and it's been gratifying to see the scope of his work and no doubt a lot more is to come. but to take the -- and so really to pose a journalistic question, if i can do that, take today's news about secretary hagel moving on. i notice that his name's not
8:38 am
indexed here. i assume that may say something about hagel. i'll give you a couple of ways of going at it. is there something that hagel should have done, could have done, or is it just too much nsa, and then that leads to the question of the next defense secretary and the senate and changes in congress, republicans taking the senate, new chairman in the house. what would you advise them to do, what kind of policy issues should they be focusing on? >> yeah. i do think in general there's too much authority and leadership on the issue vested in the national security agency. we do have this new organization, it's about four years old now, called u.s. cyber command, and it's meant to be a combatant command like central command which is running the war in iraq and afghanistan. i think that if you're going to start talking about cyber operations and warfare and integrating that into military doctrine, that should be run by a military organization, not by
8:39 am
an intelligence agency. now, the nsa is also a military organization, it's a military intelligence agency. the head of that agency is also right now the commander of cyber command. so you can see how the deck is sort of stacked in favor of nsa. hagel never made any, very few public statements at all about cybersecurity and cyber warfare. i hope that the next defense secretary will come in and start to make it a priority to get some of those authorities out of the agency and put them over with cyber command where i think they more properly belong. i think you actually can get better oversight of a military organization than you can of the nsa. >> if i can interrupt with one other follow on. >> go to the mic. >> follow on -- thank you, follow-on question. is this another part of kind of defense policy where the white house and the nsc or even the justice department has scooped up some of the sexy aspects, the hot button kinds of issues?
8:40 am
>> to some extent, yeah. the white house certainly was, you know, involved and aware of what the nsa was doing in this realm. but, you know, there's somebody i write about in the book, keith alexander, who was the director of the nsa, longest serving director and just retired recently. he managed to really accumulate a lot of the bureaucratic momentum and the sort of mojo, really masterful at it. there's some people in washington who can do that. leon panetta, actually, was another one, hagel's predecessor who fared better in the job than secretary hagel. and understood cyber threats, too, by the way. i think a lot of this was kind of captured by the agency, and the white house probably needed to get more involved as kind of the gatekeeper via the national security adviser of setting these policies. i thought that obama kind of kicking off in the east room of the white house in 2009 and making it a national security priority -- and it is, it definitely is. but then i feel like the energy
8:41 am
slipped a bit away from the white house. so the political momentum was coming from there, but the real bureaucratic engine of it was at this other agency, and i think knew you need to -- now you need to take some of that authority back. >> you mentioned our water systems and the electric grid. could you say some more about the internet of things and other systems that might be on it like, for instance, do they really run metro off the internet? [laughter] >> so the internet of things is this notion that everything that is -- every device is now connected to the network; your appliances, you know, your phone, you know? the air traffic control system. i don't know specifically whether metro is run via the internet, but it absolutely could be. it creates these marvelous efficiencies and this interconnectedness, and it makes our life easier. but the more devices you put on the network, the more vulnerable those devices are. i mean, definitionally anything that is connected to the network can be hacked, can be
8:42 am
compromised. you'll often hear how the internet was not designed with security in mind, sort of one of these tropes. it began as a research network, and nobody ever thought about protecting it. well, that's generally true. as we keep adding more and more devices to the network, we're not putting the security of those devices and the people who use them, first and foremost. i think that's going to change the more that you see some of these higher profile breaches with things like the home depot and the target breach. you know, data being stolen. as some of these devices start to fail or be manipulated, i think you might see some real urgency on the part of the users of those devices to start protecting themselves. it's going the take people getting, you know, wounded really, i think, to focus the attention. yes. >> we're going to have to -- we'll take the questioners already lined up, but after that i think -- >> well -- >> promise to go fast. >> this will be, this will be quick. this is not universally important, but i manage a web site that is connected, that is
8:43 am
part of my church community. in october we had a huge spike of hits on the web site, and the dashboard report showed that almost 50% of those hits on the web site came from china. does that mean the red army is monitoring our church web site? >> it depends what you know, what are you into? >> i mean, it's totally innocuous. it's important for those of us in the community but could not possibly have any kind of universal -- >> i think it's a subversive group shipping propaganda in china maybe. >> is there some point we should be concerned about this kind of -- >> right. >> i mean -- >> well, you should always be concerned about somebody who's not supposed to be in your network and your system being in
8:44 am
it. but in a way, as bizarre as it sounds that your church group would be being picked by the chinese -- pinged by the chinese, at the same time, it doesn't surprise me at all. their whole mo is to throw lots of bodies at the problem and see what sticks. who knows why they were poking around that day on your church web site. >> yeah. so the question is, you know, should we be concerned, or is there anything that we can do? >> you should have good network security, and if you have somebody managing your web site, make sure you have the right protocols and antivirus in place, and do not open any e-mails from people that you don't know. be careful about opening e-mails from people that you do know. i know i'm telling you to be really, really scared, but there are basic procedures you can take to make yourself less vulnerable. and if they're not pinging the network and not getting in, you know, don't worry too much. yes. >> hi. just wondered if you could speculate a little bit about the future and sort of make an
8:45 am
analogy. do you foresee a point in the future where there's something roughly similar to mutually, mutual assured destruction evolving? this is with respect to cyber warfare and especially, as you say, all-out cyber warfare. or is there any technical reason why, um, if somebody took the first step, that they'd have a decided advantage and be thinking about the power grid or whatever? >> right, right. first strike capability. >> yeah, right. >> yeah. a lot of the cold war mod pells work up to a point -- model es work up to a point. mutually assured is one. there are a lot of incentives for large nation-states not to attack our critical systems. the chinese aren't going to crash the american financial system because they're our biggest lender, so anything they do to us is going to flow back on them. i think that if there was a, an attack on the power grid to shut the lights off in a major city and we believe that it was coming from china, we would probably have bombers on the way
8:46 am
to beijing because we would presume that was the opening salvo to some kind of larger military campaign and not necessary hi an isolated -- necessarily an isolated event. but where this starts to break down is mutually assured destruction worked because we knew it would be the soviets firing the missiles at us a, and they knew it would be us firing at them. it is not that easy in cyberspace to attribute the source of the attack. you've frequently heard this referred to as the at transcribes problem -- attribution problem. i write in the book about how i think the government has gotten a lot better at attribution than they would like to let on, but that is where the deterrent model breaks down. if someone were to effectively cloak where they came from, we wouldn't necessarily know who to retaliate against. so that's, you know, where we find ourselves sort of groping for how do we deal with cyber space. that's a huge, unanswered question. >> hi. i'm sor of the -- sort of
8:47 am
interested in the education aspect of this. there was an article in the a little while back -- in the post a little while back about certain universities that are training the next generation of cyber warriors or so-called white hat hackers. >> right. >> but if you've read anything about, say, anonymous, you know that the relationship between being white hat and black hat can be very slippery. >> uh-huh. >> so i'm wondering if the government is involved in the educational process at all? are they awar of these programs? are they working with these programs? is there a military, internet education complex? >> yeah. >> there is? >> yeah. so nsa, actually, for a number of colleges and universities helps write curriculum in cybersecurity. and it does that because it wants to help field and educate a new generation of potential employees. it has a program whereby they will pay for the four-year degree in computer science and engineering of someone, and then that person comes and works for the nsa for four or five years
8:48 am
to pay them back. i actually interviewed one person about this who went to school thanks to the nsa, became a hacker, went to work for the agency for five years and then left and started a private cybersecurity start-up in silicon valley. so, yes, there's absolutely a connection between those. and the nsa in particular feels like colleges and universities are where a lot of the next best talent's going to come from, and it's taking steps to influence that process and attract new talent. post-snowden that's not going to be as easy as it may have been pre. obviously, the kinds of people who, i think, are attracted to this kind of work, many of them may have a sort of anti-authoritarian streak -- [laughter] and they may not necessarily be the ones who are that interested in signing up for this. that said, the military is also another source of recruitment, and i write about a number of soldiers in the book who became cyber warriors. and for them, i think the draw of service and also being part of a new kind of war and a new
8:49 am
kind of warfare is very alluring. and i think the nsa will have a lot of success recruiting from the ranks of the military for these operations. >> wow. >> yes, sir. our last question. >> yeah. that's really amazing, what i'm hearing. you know, just to switch, to switch emphasis from this being a tremendous tool whereby we kill one another which is usually the emphasis to anything done now by the defense establishment, how to kill other people more successfully, what about in the field of medicine, the field of health? is there, is there, are there people working in the field specifically with health, trying to understand -- well, i know that there are people working with molecular structures and trying to understand it, but how far is that progress? and does the one feed off the other? i mean, is there any indication
8:50 am
that we can use this kind of technology to improve our health -- >> sure. >> -- scenario? >> so i'll give you one uplifting story, then i'll leave you with a scary one. [laughter] and a depressing one. so, certainly, in the realm of, you know, big data analytics and the kind of capabilities that we bring to bear on assessing threats to computer networks, absolutely. there's potential for that to conduct genetic modeling and sequencing and experimental drug treatments and all of that. there's tremendous promise in this level of, you know, high-powered computing that the nsa specializes in, you know, to do tremendous good. and scientists are, in fact, tapping into that in a kind of big data revolution. where my mind was going when you mentioned health care was the vulnerability of medical technology and medical devices. so homeland fans out there may remember the pacemaker. i'm not going to spoig anything, but the pacemaker plot line with the vice president? okay. there are people out there, i
8:51 am
actually interviewed one for the book, who kind of game out scenarios to train particularly people at nsa and network defenders. and this guy that i interviewed had a scenario whereby he said, okay, a foreign dignitary is coming to the united states for medical treatment at a, you know, pick your name brand hospital. people who want to kill him find out where he's staying, they hack into the prescription dispenser in the hospital that regulates his medication because these things are all now regulated -- and, by the way, many of them are connected to the internet for auditing purposes -- they change the dosage on his medication, the nurse gives him the wrong amount, and she kills him. so medical device security because of this internet of things is actually another place that people are very worried about. hospitals have been defined as a critical infrastructure sector the same way that the electrical grid and the financial system have been. so, you know, anything that is connected to the internet can be
8:52 am
manipulated, and there are people who are trying to head off people who would -- >> but aren't -- >> -- execute this dastardly scenario. >> yeah. i was thinking more from we have millions of cells in our body, and cancer is, you know, has just been impossible to track, you know, what is what, and, you know, how does it change. that's the kind of stuff i'm thinking of. >> yeah. >> not to kill some dweeb who ends up in -- >> right. >> -- in the hotel downtown and you want to take out. >> you're determined to make me leave this on an uplifting note. >> yeah, exactly. >> i would point back to the data mining and high-powered computing that can be used to track -- tackle some of these problems. cancer researchers are using the same kind of technology that can be deployed for less helpful ends, i guess we should say. >> right, right. i'll leave it to you to promote that field. >> okay. all right, thank you all very much, and i'll be happy to sign your books. [applause]
8:53 am
>> we have books behind the register, and we're going to form a signing line. [inaudible conversations] >> every weekend booktv offers programming focused on nonfiction authors and ask books. and books. keep watching for more here on c-span2 and watch any of our past programs online at booktv.org. >> and now joining us on booktv is dennis johnson who is the co-publisher of melville house. melville house is publishing the senate intelligence committee report on torture. mr. johnson, what's the purpose of publishing something that's in the public domain? >> guest: well, for one thing it's not

9 Views

info Stream Only

Uploaded by TV Archive on